hipaa Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more
LUXSCI

Posts Tagged ‘hipaa’

HIPAA-Compliant Email Checklist – 8 Things You Need to Know

Tuesday, August 14th, 2018

The Health Insurance Portability and Accountability Act (HIPAA) applies to protected health information (PHI). When stored or transmitted electronically, the HIPAA Security and Privacy Rules require covered entities to safeguard the integrity and confidentiality of electronic protected health information (ePHI). The most common way in which ePHI is shared is via email. No wonder then that HIPAA-compliant email security is a critical concern for healthcare organizations, with a majority preferring to outsource this item to knowledgeable providers.


The HIPAA email security rule

The HIPAA Security Rule pertaining to email explicitly requires adequate protection for all patient data and does not endorse or prohibit the use of any specific technologies to ensure robust protection. The rule lays down four standards:

Read the rest of this post »

HIPAA Email: Does it Require Encryption?

Tuesday, July 31st, 2018

HIPAA’s encryption requirements fall in a grey area. This is mainly due to two reasons:

  • encryption is required only when ‘deemed appropriate’, which means email encryption is not absolutely necessary and ‘mutual consent’ can be used in place of encryption;
  • there are a number of ‘addressable requirements’ in the technical safeguards as far as ePHI encryption is concerned.

What exactly is mutual consent?

Mutual consent refers to a mutual understanding between doctor and patient that email containing ePHI can be sent to the patient’s email account without encryption. Patients should communicate their approval in writing after being informed of the security risks and understanding that a secure option is available. You must additionally maintain all records of mutual consent.


Mutual consent does not waive the other HIPAA-related requirements. You must still use HIPAA-compliant systems, log and audit each decision not to encrypt, and back up and archive all email communications sent insecurely.

Encryption at rest is ‘addressable’

‘Addressable’ means that the safeguard should be implemented or an alternative to the safeguard that delivers the same results should be implemented. In the absence of both, you should document and justify why no action has been taken with regard to the safeguard.

Read the rest of this post »

What Level of SSL or TLS is Required for HIPAA Compliance?

Saturday, June 2nd, 2018

SSL and TLS are not actually monolithic encryption entities that you either use or do not use to connect securely to email servers, web sites, and other systems.  SSL and TLS are evolving protocols which have many nuances to how they may be configured.  The “version” of the protocol you are using and the ciphers used directly impact the level of security achievable through your connections.

Some people use the terms SSL and TLS interchangeably, but TLS (version 1.0 and beyond) is actually the successor of SSL (version 3.0). … see SSL versus TLS – what is the difference?  In 2014 we saw that SSL v3 was very weak and should not be used going forward by anyone (see the POODLE attacks, for example); TLS v1.0 or higher must be used.

Among the many configuration nuances of TLS, the protocol versions supported (e.g., 1.0, 1.1, or 1.2) and which “ciphers” are permitted have the greatest impact on security. A “cipher” specifies the encryption algorithm to be used, the secure hashing (message fingerprinting / authentication) algorithm to be used, and other related things such as how encryption keys are negotiated. Some ciphers that have long been used, such as RC4, have become weak over time and should never be used in secure environments. Other ciphers provide perfect forward secrecy: someone who records a secure conversation today cannot decrypt it in the future even if the server’s private keys are somehow compromised.

What level of TLS is required by HIPAA?

Given the many choices of ciphers and TLS protocol versions, people are often at a loss as to what level of TLS security is specifically needed for HIPAA compliance. Simply “turning on TLS” without also configuring it appropriately is likely to leave your transmission encryption non-compliant.

Read the rest of this post »

TLS Exclusive: HIPAA-compliant email marketing just got a whole lot better

Thursday, May 10th, 2018

If you are a healthcare organization and have to abide by HIPAA regulations, you may be struggling with HIPAA-compliant email marketing.  Besides getting patient consent, there is the whole concern that the marketing email messages need to be secured, as in many cases the marketing messages plus the addresses or list being used imply something about the recipients … something ePHI-related.


It is a best practice to use a HIPAA-compliant email marketing service to send healthcare-related email marketing messages, newsletters, appointment reminder emails, etc.  Such a service signs the required HIPAA Business Associate Agreement with you, takes care of your data, and ensures that your email messages go securely to your recipients.

Read the rest of this post »

When can sending TLS-Secured Email be NOT HIPAA Compliant?

Tuesday, May 1st, 2018

In a question recently submitted to “Ask Erik,” John asked:

“How does sending a TLS-encrypted email sometimes become non-compliant? Let’s say I send an email from my Office 365 Business account to a gmail.com account, which both support TLS encryption. Is it because I do not know what path and what servers the email has to go through? Does each server have to decrypt the email, and is that when it becomes non-compliant? I love the Luxsci forms by the way!”

This is a great question! In a recent survey that LuxSci did, less than 50% of the people interested in secure email even knew what TLS is and how it works. So it is not surprising that there is a lot of confusion out there about what is acceptable for compliance and what is not.

Read the rest of this post »
